Apple Fixes Alarming Spyware Vulnerability On iPhone, iPad, Watch And Mac, Update ASAP

apple fixed three security vulnerabilities to prevent triangulation spyware
This week, Apple patched three vulnerabilities that could lead to Triangulation spyware making it to your device with a zero-interaction exploit delivered through an invisible iMessage. Thus, update your devices as soon as able to patch these vulnerabilities and remain safe from the threat actors exploiting them.

Per Apple Support security content updates, updates for iOS, iPadOS, macOS, and watchOS all contain fixes for the three vulnerabilities that allow TriangleDB to work. The first vulnerability, tracked as CVE-2023-32434, was one of two credited to Kaspersky researchers and is a kernel-level vulnerability that "may have been actively exploited against versions of iOS released before iOS 15.7." The second vulnerability, CVE-2023-32439, is a WebKit problem wherein the maliciously crafted web content could yield arbitrary code execution, which may have been exploited in the wild.

infection chain apple fixed three security vulnerabilities to prevent triangulation spyware
The Operation Triangulation infection chain.

The third and final vulnerability, CVE-2023-32435, is also a WebKit vulnerability credited to the Kaspersky team. Affecting older Apple devices, this vulnerability revolved around the processing of web content that could lead to arbitrary code execution and may have also been exploited in the wild. As Apple published the fixes for these vulnerabilities, Kaspersky published some more insight into what happened with what is called Operation Triangulation.

tweet apple fixed three security vulnerabilities to prevent triangulation spyware

The two vulnerabilities credited to Kaspersky led to the TriangleDB implant at the end of the Operation Triangulation infection chain. This chain is kicked off when a victim receives an iMessage with a malicious attachment that they do not see nor need to interact with, after which attackers gain root privileges on the victim's device. With this access, the attacker then deploys the TriangleDB implant to memory, which means that if a device is restarted, then the implant is lost, and the attack must start again. Provided the device is not restarted, though, the implant will automatically yeet itself after 30 days provided the attackers do not extend the spyware duration.

heartbeat apple fixed three security vulnerabilities to prevent triangulation spyware
The implant periodically sends out 'heartbeat beacons' to the C2 including the above information.

As far as capabilities go, TriangleDB can interact with the filesystem, including exfiltrating files, interacting with processes, dumping keychain items to get credentials, monitoring the victim's geolocation, and running other malicious modules that also run in memory. All of this was discovered after the Kaspersky Unified Monitoring and Analysis Platform (KUMA) platform discovered "an anomaly in [Kaspersky's] network coming from Apple devices." This turned out to be Triangulation spyware that had infected the iPhones of senior employees at the company.

However, Kaspersky believes that they were not the main target of the cyberattack. It is currently unclear who was to be the main target, but the Kaspersky blog uses the term "worldwide proliferation" concerning the spyware, so technically, anyone is at risk. Therefore, update your devices as soon as you can to protect yourself from the Triangulation spyware.